<div><b>Dinis Cruz Blog</b> (feed updated 2016-12-06). A personal blog about: transforming Web Application Security into an 'Application Visibility' engine, the OWASP O2 Platform, Application/Data interoperability and a lot more. Author: Dinis Cruz.</div><hr /><div><b>Please help to set the date for the next OWASP DevSecCon Summit. Great description of OWASP Summits</b> (2016-12-03)</div><div dir="ltr">Hi, we are in the final stages of choosing the date for the next OWASP Summit and it would be great if you chipped in with your preference.<br /><div><br /></div><div>Please use the&nbsp;<a href="http://doodle.com/poll/e8d4p955rc8guuru">http://doodle.com/poll/e8d4p955rc8guuru</a> doodle and join the other 44 participants.</div><div><br /></div><div>The OWASP Summit is starting to shape up quite nicely, with a number of good workshop ideas already in the works. Please check them out at&nbsp;<a href="https://github.com/OWASP/owasp-devseccon-summit/tree/master/Workshops">https://github.com/OWASP/owasp-devseccon-summit/tree/master/Workshops</a> and help to make them better:</div><div><ul><li>what topic is missing?</li><li>who should be at those workshops?</li><li>what should the participants focus on?</li><li>what should the objectives/outcomes be?</li></ul></div><div>If you have not been to an OWASP Summit before (i.e. the <a href="https://www.owasp.org/index.php/OWASP_EU_Summit_2008">2008</a> and <a href="https://www.owasp.org/index.php/Summit_2011">2011</a> editions), please see below a great description of what they are (from an email sent by Abraham Kang on 6 Apr 2012).</div><div><br /></div><div>Thanks for your help</div><div><br /></div><div>Dinis, Seba &amp; Francois</div><div><br /></div><div>----------------------------------------</div><div><br /></div><div><div>Although I agree with Jim in spirit.
</div><div><br /></div><div>I have to admit that I was able to get things accomplished at the 2011 Summit that would have taken longer had I not attended the Summit.</div><div><br /></div><div>I was kind of stuck on the DOM based XSS cheat sheet because there were just so many existing ways and new ways of exploiting DOM based XSS. I was lost in trying to understand the exploiting instead of focusing on the mitigating.</div><div><br /></div><div>The Summit gave me an opportunity to work with some of the top guys (Jim Manico, Stefano Di Paola, Robert Hansen, Gareth Heyes, Chris Schmidt, Mario Heiderich, Eduardo Nava, Achim Hoffman, John Stevens, Arian Evans, Mike Samuel, Jeremy Long, Dinis Cruz, and others; please forgive me if I forgot to mention you) in Web security to get their ideas and refine mine.</div><div>I also was able to bring up issues that were affecting adoption by large enterprises of OWASP materials with Jeff Williams and others.</div><div><br /></div><div>Finally, I was also able to meet the people interested in the OWASP Web Development Guide (which I have been trying to reboot but, having started a new job, have failed to make much progress on) to discuss issues related to the guide and try to address them.</div><div><br /></div><div>All of this would have been impossible to do without the summit.</div><div><br /></div><div>I was also hoping to suggest that this year we try to bring other security members of the community that haven't traditionally participated in OWASP (iSec Partners, Gotham Digital Science, etc.) to the summit, as I have great respect for those guys and think they could contribute greatly to the success of OWASP.
</div><div><br /></div><div>The conference is viewed as being private but I thought it was open to anyone interested in contributing to OWASP. I think people would be willing to pay to attend a conference where they could speak to other leaders in informal meetings on topics of interest and provide the additional benefit of OWASP deliverables.</div><div><br /></div><div>We are a very dispersed group; it helps to get people together to work things out, discuss and see the other people as human beings. I have to admit that the conference was also a lot of fun. I got to laugh with people I would have never had the chance to before this. Jokes don't seem to go over as well when they are made over email. I got to hear stories of (Larry's or Chris's -- the last names have been omitted to protect the guilty) midget experiences/encounters. I got to know of other people's skeletons in their closets.</div><div><br /></div><div>This allowed all of us to bond in a way that couldn't happen without a conference like this.</div><div><br /></div><div>Another benefit of these types of interactions is that everyone that attended the last summit was involved with an OWASP project (which may be a good requirement). I met Andras (my German brother) of WS-Attacks.org and, although I haven't done a good job of it yet, I was hoping to reboot the OWASP Web Development Guide (I will send another email on that thread to explain my struggles) and see if I could use the content from WS-Attacks.org in the new guide (seeing as I did the translation revision for Andras) for the Web Services chapter. If I hadn't attended the Summit I wouldn't have met him and made this connection.</div><div><br /></div><div>Yes, there were a couple of things that could have been handled better, related to the usurping of funds from individual Chapters' accounts, and we probably could have spent less money on the incidentals, but there is great value in the
Summit.</div><div><br /></div><div>OWASP Rocks!</div><div><br /></div><div>Warmest Regards,</div><div>Abe</div><div><br /></div><div>Sorry for being so long winded.</div></div></div><hr /><div><b>Please review the 'Hacking Portugal' book available on Amazon (paperback and Kindle)</b> (2016-12-01)</div>My <a href="https://www.amazon.co.uk/Hacking-Portugal-Making-Software-Development/dp/1540743632">'Hacking Portugal'</a>&nbsp;book is now available on Amazon and I would really appreciate your feedback and ideally a book review :)<br /><br />Here is the Amazon page: <a href="https://www.amazon.co.uk/Hacking-Portugal-Making-Software-Development/dp/1540743632">https://www.amazon.co.uk/Hacking-Portugal-Making-Software-Development/dp/1540743632</a><br /><br />You can download the PDF for free at <a href="https://github.com/DinisCruz/Book_Hacking_Portugal/releases">LeanPub</a>&nbsp;or from <a href="https://github.com/DinisCruz/Book_Hacking_Portugal/releases/tag/v1.2-Amazon">GitHub</a><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://www.amazon.co.uk/Hacking-Portugal-Making-Software-Development/dp/1540743632/"><img border="0" height="324" src="https://2.bp.blogspot.com/-8RJBeDnSXwA/WECsVzL9kbI/AAAAAAAAMq0/Swky57iB-fUjneIskm_pvqV5GWxrexDSQCLcB/s640/Screen%2BShot%2B2016-12-01%2Bat%2B23.03.24.png" width="640" /></a></div><div class="separator" style="clear: both; text-align: left;">This is my first book published at Amazon, and I have to admit that I'm quite proud of it :)</div><br />This book is based on the <a href="http://blog.diniscruz.com/2016/11/presentation-hacking-portugal-and.html">"Hacking Portugal and making it a global player in Software development"</a> presentation I delivered at the BSidesLisbon and C-Days conferences (November 2016). All content is released under a Creative Commons licence at the <a href="https://github.com/DinisCruz/Book_Hacking_Portugal/">Book_Hacking_Portugal</a>&nbsp;GitHub repo.<hr /><div><b>Published 'Hacking Portugal' Book</b> (2016-11-29)</div>I just published the '<a href="https://leanpub.com/hacking-portugal/">Hacking Portugal</a>' book, which is based on the&nbsp;<a href="http://blog.diniscruz.com/2016/11/presentation-hacking-portugal-and.html">"Hacking Portugal and making it a global player in Software development"</a> presentation I delivered at BSidesLisbon in November 2016.<br /><br />You can get it at&nbsp;<a href="https://leanpub.com/hacking-portugal/">https://leanpub.com/hacking-portugal/</a><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://leanpub.com/hacking-portugal/"><img border="0" height="369" src="https://2.bp.blogspot.com/-HPNXzh11PhI/WD0fyQu0BII/AAAAAAAAMoY/BiS3wRNA84gB0B8epG6laTs-aHe9StwxACLcB/s640/Screen%2BShot%2B2016-11-29%2Bat%2B06.26.50.png" width="640" /></a></div>All text is released under a Creative Commons license.
Please submit any feedback, ideas or fixes at&nbsp;<a href="https://github.com/DinisCruz/Book_Hacking_Portugal">https://github.com/DinisCruz/Book_Hacking_Portugal</a><br /><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">Here is the text from the introduction:</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both;"><b>Introduction</b></div><div class="separator" style="clear: both;"><br /></div><div class="separator" style="clear: both;">This book is based on, and expands, a presentation given at BSidesLisbon on 9 November 2016.</div><div class="separator" style="clear: both;"><br /></div><div class="separator" style="clear: both;">The ideas I consider here look to the future, as some of the concepts are too radical until the AppSec problem becomes much bigger. They are ideas for a future when solutions are wanted.</div><div class="separator" style="clear: both;"><br /></div><div class="separator" style="clear: both;">As technology and software become more and more important to Portuguese society, it is time for Portugal to take them more seriously, and become a real player in that world. This book discusses several ideas to make Portugal a place where programming, TDD, Open Source, learning how to code, hacking (aka bug-bounty style), and DevOps receive the consideration, investment and respect that they deserve.
Application Security can act as an enabler for this transformation, due to its focus on how code and apps work, and its enormous advances in secure-coding, testing, dev-ops and quality.</div><div class="separator" style="clear: both;"><br /></div><div class="separator" style="clear: both;"><b>Why I’m doing this</b></div><div class="separator" style="clear: both;"><br /></div><div class="separator" style="clear: both;">I have been studying this area, and its various challenges and possibilities, for some time, and for many reasons.</div><div class="separator" style="clear: both;"><br /></div><div class="separator" style="clear: both;">The current economic model is not working for secure code and secure software development, and it is not working for many parts of the general population. In many cases, it doesn’t make business sense to spend the time and effort creating secure code, because the customer cannot measure it. I believe we must innovate our way out of this problem.</div><div class="separator" style="clear: both;"><br /></div><div class="separator" style="clear: both;">I have considerable experience working in the AppSec industry, and this allows me to see the problems coming down the line. However, the same experience also allows me to see solutions to the problems, and I want to share and discuss my ideas for these solutions. Moreover, I want to create a safe future for our kids.</div><div class="separator" style="clear: both;"><br /></div><div class="separator" style="clear: both;"><b>Summary of Chapters</b></div><div class="separator" style="clear: both;"><br /></div><div class="separator" style="clear: both;">In ‘Portuguese network to be hostile to insecure code’, I discuss the possibility of Portugal becoming a hostile place to create, publish or host insecure apps or IoT appliances. The creation of a safe internet in Portugal is possible, but it will need the support and input of Creative Commons, regulatory and market forces, and communities, for it to work. We need new ideas and different perspectives for this to succeed.</div><div class="separator" style="clear: both;"><br /></div><div class="separator" style="clear: both;">‘Hackers’ considers the term ‘hackers’, as opposed to ‘attackers’, and discusses how hacking can help to create a secure internet for Portugal. The sound ethical values of the hacking community can inspire the next generation of internet users.</div><div class="separator" style="clear: both;"><br /></div><div class="separator" style="clear: both;">‘How Secure is Portugal’ examines how Portugal, despite being a digital country with a great dependence on software, has many vulnerabilities and exploitable assets, which make it highly vulnerable to cyber-attack in the future. Implementing the correct measures, for example by utilizing and increasing the InfoSec and AppSec talent available in Portugal, will help to mitigate the risk of attack.</div><div class="separator" style="clear: both;"><br /></div><div class="separator" style="clear: both;">‘Portuguese Hacking Service’ suggests that 15-20 year olds should undertake their ‘Hacking Service’, a new version of the former Portuguese Military Service. The chapter also looks at the Portuguese military budget, and argues that a percentage of it should be diverted into virtual battles against cyber-attacks on Portuguese assets. Everyone should learn to hack, including criminals and retired people, for the general benefit of Portuguese Government, business, and society. New structures like a ‘Portuguese Hackathon League’ would develop Portugal into a country as famous for hacking as it is for football.</div><div class="separator" style="clear: both;"><br /></div><div class="separator" style="clear: both;">‘Portuguese Innovations’ looks to the glorious history of Portuguese innovation, from the Carrack ship to marmalade, to the more recent success of drug decriminalization in Portugal, which has dramatically reduced the rate of drug overdoses and drug-related deaths.</div><div class="separator" style="clear: both;"><br /></div><div class="separator" style="clear: both;">‘Leader in cyber and application security’ looks to the future of Portuguese innovation, and notes that where Portugal led the way in maritime navigation and innovation in the past, it should now become a world leader in coding and AppSec. The chapter offers some pointers to developers. It also describes cyber security as a public health problem, and states that the techniques used to train cyber security specialists should resemble those used to train medical professionals.</div><div class="separator" style="clear: both;"><br /></div><div class="separator" style="clear: both;">‘Privacy’ discusses the importance of privacy to the individual. It notes how cryptography can help the individual to control their data, in a world where some governments and businesses act to reduce, or remove, the technological privacy of the citizen.</div><div class="separator" style="clear: both;"><br /></div><div class="separator" style="clear: both;">The chapter goes on to consider the need for disclosure in companies, and the role whistleblowers have to encourage disclosure and improve how markets work. We need legislation that protects whistleblowers and compels disclosure, to create an environment where there is maximum privacy for the individual, and maximum transparency for companies. The way the music industry resisted technological innovation is used as an example of the negative consequences of secrecy and non-disclosure.</div><div class="separator" style="clear: both;"><br /></div><div class="separator" style="clear: both;">‘Open Source’ develops the ideas discussed in ‘Privacy’, and notes the importance of openness and transparency to the success of the arguments presented. Programs such as OWASP, Git, and FOSS can help to achieve the desired level of transparency. The chapter discusses the need for Open Source to become a lingua franca, and it suggests specific legislative changes to increase transparency at government and corporate level.</div><div class="separator" style="clear: both;"><br /></div><div class="separator" style="clear: both;">‘Government’ acknowledges the role of government as a benign influence to effect change. The chapter recommends the establishment of a Ministry of Code and a Software Testing Institute, but warns that these must be matched by sensible regulation and governance. It also proposes a Clear Software Act, focused on code quality and security. Bug bounties are suggested, and the role of the insurance industry discussed. The European Union, and the creation of new currencies for weaker economies, are also treated.</div><div class="separator" style="clear: both;"><br /></div><div class="separator" style="clear: both;">‘Why Portugal’ explains why, from its size to its culture and economy, Portugal is the best location to implement the ideas presented in this book.
The chapter concludes with the options facing Portugal: to become a holiday destination, or a Powerhouse of Technology, ready to lead the world in code and security.</div><div class="separator" style="clear: both;"><br /></div><div class="separator" style="clear: both;">‘Actions and Recommendations’ summarises the actions and recommendations suggested throughout the book.</div><hr /><div><b>Presentation: Veracode Automation CLI (using Jenkins for SDL integration)</b> (2016-11-18)</div>Here is a presentation about a secure CI workflow that I'm working on.<br /><br />The key parts are the Veracode CLI that was developed (see <a href="https://github.com/DinisCruz/veracode-api">veracode-api</a>) and the couple of Jenkins projects which use the Veracode engine in a 'concurrent scanner' model.<br /><br />Let me know what you think of it:<br /><br /><div style="margin-bottom: 5px;"><strong> <a href="https://www.slideshare.net/DinisCruz/veracode-automation-cli-using-jenkins-for-sdl-integration" target="_blank" title="Veracode Automation CLI (using Jenkins for SDL integration)">Veracode Automation CLI (using Jenkins for SDL integration)</a> </strong> from <strong><a href="https://www.slideshare.net/DinisCruz" target="_blank">Dinis Cruz</a></strong> </div><hr /><div><b>Presentation "Hacking Portugal and making it a global player in Software development"</b> (2016-11-11, updated 2016-11-29)</div>UPDATE: See the <a href="http://blog.diniscruz.com/2016/11/published-hacking-portugal-book.html">Hacking Portugal</a> book for an expanded and updated version of these ideas<br /><hr /><br />Here is the presentation I delivered today at&nbsp;<a href="http://bsideslisbon.org/">BSidesLisbon</a><br /><br />There is an extended version of these ideas on this <a href="https://github.com/DinisCruz/keynote-bsideslisbon">GitHub repo</a>&nbsp;which you can read online at:&nbsp;<a href="https://diniscruz.github.io/keynote-bsideslisbon/">https://diniscruz.github.io/keynote-bsideslisbon/</a><br /><br /><b>Description:&nbsp;</b><i>As technology and software become more and more important to Portuguese society, it is time to take them seriously and really become a player in that world. Application Security can act as an enabler, due to its focus on how code/apps actually work, and its enormous drive on secure-coding, testing, dev-ops and quality. The same way that Portuguese navigators once looked at the unknown sea and conquered it, our new digital navigators must do the same with code. This presentation will provide a number of paths for making Portugal a place where programming, TDD, Open Source, learning how to code, hacking (aka bug bounty style) and DevOps are first class citizens.</i><br /><br /><div style="margin-bottom: 5px;"><strong> <a href="https://www.slideshare.net/DinisCruz/hacking-portugal-v10" target="_blank" title="Hacking Portugal v1.0">Hacking Portugal v1.0</a> </strong> from <strong><a href="https://www.slideshare.net/DinisCruz" target="_blank">Dinis Cruz</a></strong> </div><hr /><div><b>Relationship with existing standards</b> (2016-11-07)</div>It is important to have a good understanding of how a company's Risk profile maps to existing security standards like PCI DSS, HIPAA, and others.<br /><br />Most companies will fail these standards when their existing 'real' RISKs are correctly identified and mapped. This explains the difference between being 'compliant' and being 'secure'.<br /><br />Increasingly, external regulatory bodies and laws require some level of proof that companies are implementing security controls.<br /><br />To prevent unnecessary delays or fines, these requirements should be embedded in the process in the form of regular scans, embedded controls (e.g. in the default infrastructure), or in user stories.<br /><br />For example, in DevOps environments all requirements related to OS hardening should be present in the default container.
Development teams should not have to think about them.<br /><div style="font-family: times;"><i>(from&nbsp;<a href="https://leanpub.com/secdevops">SecDevOps Risk Workflow</a>&nbsp;book, please provide feedback as a&nbsp;<a href="https://github.com/DinisCruz/Book_SecDevOps_Risk_Workflow/issues">GitHub issue</a>)</i></div><hr /><div><b>I don't know the security status of a website</b> (2016-11-07)</div>Lack of data should affect decision-making about application security.<br /><br />Recently, I looked at a very interesting company that provides a VISA compatible debit-card for kids, which allows kids to get a card whose budget can be controlled online by their parents.
There is even a way to invest in the company online via a crowdfunding scheme.<br /><br />I looked at this company as a knowledgeable person, able to process security information and highly technical information about the application security of any web service. But I was not able to make any informed security decision about whether this service is safe for my kids. I couldn't understand the company's level of security because they don't have to publish it and, therefore, I don’t have access to that data.<br /><br />As a result, I must take everything on the company's website at face value. And because there is no requirement to publish any real information about their product, the information given is shaped by the company’s marketing strategy. I have no objective way of measuring whether the company has good security across their SDL, has good SecDevOps capabilities, whether there are any known security risks I should be aware of, or, more importantly, whether my kids' data is protected and secure.<br /><br />This means that my friends who recommended that service to me are even worse off than I am. They are not security savvy users and they can only rely on the limited information given on the company's website.<br /><br />If there are three or four competing services at any moment in time, they will not be able to compete on the security of their product. It is not good enough if a company only invests in security in case security becomes a problem, or causes embarrassment in the future. It is like saying, "Oh, let's not pollute our environment because we might get caught".<br /><br />In business today, security issues are directly related to quality issues. Application security could be used to gain a good understanding of what is going on in the company, and whether it is a good company to invest in, or a good company to use as a consumer.<br /><br />This approach could scale.
If I found problems, or if data was open, I could publish my analysis, others could consume it, and this would result in a much more peer-reviewed workflow for companies.<br /><br />This reflects my first point: if I can’t understand a company's level of security because they don't have to publish it, this should change. And if it does, it will change the market.<br /><br />Having a responsible disclosure program or public bug bounty program is also a strong indicator of quality and security.<br /><br />In fact, a company that doesn't have a public bug bounty program is telling the world that they don't have an AppSec team.<br /><div style="font-family: times;"><i>(from&nbsp;<a href="https://leanpub.com/secdevops">SecDevOps Risk Workflow</a>&nbsp;book, please provide feedback as a&nbsp;<a href="https://github.com/DinisCruz/Book_SecDevOps_Risk_Workflow/issues">GitHub issue</a>)</i></div><hr /><div><b>Published "SecDevOps Risk Workflow" book (v0.65)</b> (2016-11-06)</div><a href="https://4.bp.blogspot.com/-2sbUB3bLUvw/WAK-67yZGnI/AAAAAAAAMO0/PmK5E5wurfI7TFTmtO6X6znsJzXO1sApwCPcB/s1600/Screen%2BShot%2B2016-10-16%2Bat%2B00.42.10.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="178" src="https://4.bp.blogspot.com/-2sbUB3bLUvw/WAK-67yZGnI/AAAAAAAAMO0/PmK5E5wurfI7TFTmtO6X6znsJzXO1sApwCPcB/s320/Screen%2BShot%2B2016-10-16%2Bat%2B00.42.10.png" width="320" /></a>I just published version v0.65 of the SecDevOps Risk Workflow book.<br /><br />You can get the book (for free) at <a href="https://leanpub.com/secdevops">https://leanpub.com/secdevops</a> (when you become a reader you will get email alerts with every release).<br /><br />The <a href="https://github.com/DinisCruz/Book_SecDevOps_Risk_Workflow/compare/v0.63...v0.65">diff for this version (with v0.63)</a>&nbsp;shows 115 commits, 59 changed files, 545 additions and 355 deletions.<br /><br />Here are the main topics created or updated:<br /><ul><li>“The Pollution Analogy”</li><li>“Risk Workflow for Software Vendors”</li><li>“Security Champions Involved In Decisions”</li><li>“Is The Decision Hyper Linked”</li><li>“Horizontal Dev Ops”</li><li>“Good Managers Are Not The Solution”</li><li>“Feedback Loops”</li><li>“Learning resources”</li><li>“Abusing the concept of RISK”</li><li>“Make sure your Security Champions are given time”</li><li>“Using Git as a Backup Strategy”</li><li>“Threat Model per Feature”</li><li>“Threat Model Confirms Pen Test”</li><li>“Can’t do Security Analysis when doing Code Review”</li><li>“Employ Graduates to Manage JIRA”</li><li>“Linking source code to Risks”</li><li>“Why GitHub and JIRA?”</li><li>“Risk Dashboards and emails”</li><li>“The Authentication micro-service cache incident”</li></ul><div><br />Please submit any issues or suggestions at&nbsp;<a href="https://github.com/DinisCruz/Book_SecDevOps_Risk_Workflow/issues">https://github.com/DinisCruz/Book_SecDevOps_Risk_Workflow/issues</a></div><hr /><div><b>Creating better briefs</b> (2016-11-06)</div>Developers should use the JIRA workflow to get better briefs and project plans from management. Threat Models are also a key part of this strategy.<br /><br />Developers seldom find the time to fulfil the non-functional requirements of their briefs. The JIRA workflow gives developers this time.<br /><br />The JIRA workflow can help developers to solve many problems they have in their own development workflow (and SDL).<br /><div style="font-family: times;"><i>(from&nbsp;<a href="https://leanpub.com/secdevops">SecDevOps Risk Workflow</a>&nbsp;book, please provide feedback as a&nbsp;<a href="https://github.com/DinisCruz/Book_SecDevOps_Risk_Workflow/issues">GitHub issue</a>)</i></div><hr /><div><b>Cloud Security</b> (2016-11-06)</div>One way in which cloud security differs from previous generations of security efforts, such as software
security and website security, is that in the past, both software and website security were almost business disablers: the more security features people added, the less attractive the product became. Very few applications and websites are in the position where the client needs more security in order to do more business, which is the position in which security gives the best return on investment.<br /><br />What’s interesting about cloud security is that it might be one of the occasions where security is a genuine business requirement, because a lack of security would slow down the adoption rate and prevent people from moving into the cloud. Accordingly, people care about cloud security, and they invest in it.<br /><br /><a name='more'></a>While thinking about this I realized that the problem with security vulnerabilities in the cloud is that a compromise doesn’t just affect one company, it affects all the companies hosted on that cloud. It’s a much bigger problem than the traditional scenario, where a security incident affected one company, and the people in that company worked to resolve the problem. When an incident happens in the cloud, the companies or assets affected are not under the control of their owners. The people hosting them must now manage all these external parties, who have no control over their data, but who can’t work because their service is down or compromised. The problem is horizontal: an attack that comes in through Company A will affect Companies B, C, D, E, F, all the way to X, Y, Z. As a result, it’s a much tougher problem to solve.<br /><br />While catastrophic failures are tolerated in normal websites and applications, the cloud-based world is much less tolerant. A catastrophic failure, where everything fails or all the data is compromised or deleted, means the potential loss of that business. That hasn’t happened yet, but doubtless it will happen.
Cloud service companies will then have to show that they care more about security than the people who own the data.<br /><br /><b>Cloud providers care more than you</b><br /><br />One of the concepts that Bruce Schneier talked about at the OWASP IBWAS conference in Spain is that a cloud service cares more about the security of its customers than the customers do themselves. This makes sense, since the provider's aggregated risk is enormous.<br /><br />In the future, cloud companies will be required to demonstrate this important concept. They should be able to say, “Look, I have better systems in place than you, so you can trust me with your data. I can manage more data for you than you can”. This will be akin to the regulatory compliance that governs data handling in the outside world.<br /><br />One way to do this is by publishing risk data and dashboards (see the OWASP Security Labelling System Project).<br /><br />You can imagine a credit card company wanting or needing to demonstrate this. But you can also see the value of it to the medical industry, or any kind of industry that holds personal information. If a company can't provide this type of service itself, it must outsource the service, but to be able to do that the security industry must become more transparent. We need a lot more maturity in our industry, because companies need to show that they have adequate security controls. It is not sufficient to be declared compliant by somebody who goes for the lowest common denominator, gets paid, and tells the company it's compliant.<br /><br />Genuinely enhanced visibility of what’s going on will allow people to measure what’s happening, and then make decisions based on that information. The proof of the pudding will not be how many vulnerabilities the cloud companies have, but how they detect and recover from incidents.<br /><br />The better a company can withstand an attack, the better that company can protect data.
A company that says, “I received x, y, z attacks and I was able to withstand them and protect the data this way”, is more trustworthy than a company that is completely opaque. The key to making this work is to create either technology, or standards of process, that increase the visibility of what is going on.<br /><div style="font-family: times;"><i><br class="Apple-interchange-newline" /><br class="Apple-interchange-newline" />(from&nbsp;<a href="https://leanpub.com/secdevops">SecDevOps Risk Workflow</a>&nbsp;book, please provide feedback as an&nbsp;<a href="https://github.com/DinisCruz/Book_SecDevOps_Risk_Workflow/issues">GitHub issue</a>)</i></div><br />Dinis Cruzhttps://plus.google.com/101331715302361457274noreply@blogger.com0tag:blogger.com,1999:blog-7061568054540301299.post-62294693960617068822016-11-06T10:30:00.000+00:002016-11-06T10:30:30.937+00:00Feedback loops are keyA common error occurs when the root cause of newly discovered issues or exploits receives insufficient energy and attention from the right people.<br /><br />Initially, operational monitoring or incident response teams identify new incidents.
They pass the incidents to the security department, and after some analysis the development teams receive them as tickets. By then the development teams usually have no information about the original incident, and are therefore unable to frame the request in the right perspective. This can lead to suboptimal fixes with undesired side effects, such as patching the symptom that was exploited while the underlying cause remains.<br /><br /><a name='more'></a>It is beneficial to include development teams in the root cause analysis from the start, to ensure the best solutions can be identified.<br /><br /><div style="font-family: times;"><i><br class="Apple-interchange-newline" />(from&nbsp;<a href="https://leanpub.com/secdevops">SecDevOps Risk Workflow</a>&nbsp;book, please provide feedback as an&nbsp;<a href="https://github.com/DinisCruz/Book_SecDevOps_Risk_Workflow/issues">GitHub issue</a>)</i></div><br />Dinis Cruzhttps://plus.google.com/101331715302361457274noreply@blogger.com0tag:blogger.com,1999:blog-7061568054540301299.post-83941735143951299842016-11-05T17:28:00.000+00:002016-11-05T17:28:09.334+00:00Understand Every Project's Risks<span style="font-family: &quot;times&quot;;">It is essential that every developer and manager know what risk game they are playing.
To fully know the risks, you must learn the answers to the following questions:</span><br /><ul><li>what is the worst-case scenario for the application?</li><li>what are you defending, and from whom?</li><li>what is your incident response plan?</li></ul><span style="font-family: &quot;times&quot;;">Take advantage of the periods when you are not under attack and have some time to address these questions; during an active incident it is too late to start answering them.</span><br /><div style="font-family: times;"><i><br class="Apple-interchange-newline" />(from&nbsp;<a href="https://leanpub.com/secdevops">SecDevOps Risk Workflow</a>&nbsp;book, please provide feedback as an&nbsp;<a href="https://github.com/DinisCruz/Book_SecDevOps_Risk_Workflow/issues">GitHub issue</a>)</i></div>Dinis Cruzhttps://plus.google.com/101331715302361457274noreply@blogger.com0tag:blogger.com,1999:blog-7061568054540301299.post-73981444959277323112016-11-05T13:00:00.000+00:002016-11-05T13:00:24.134+00:00Using logs to detect risk exploitationAre your logs and dashboards good enough to tell you what is going on? You should know when new and existing vulnerabilities are discovered or exploited. However, this is a difficult problem that requires serious resources and technology.<br /><br />It is crucial that you can at least detect known risks without difficulty. Being able to detect known risks is one reason to create a suite of tests that can run against live servers. Not only will those tests confirm the status of those issues across the multiple environments, they will also provide the NOC (Network Operations Centre) with concrete case studies of what it should be detecting: every run of such a test is a known attack whose trace should show up in the logs and dashboards, and if the NOC cannot see the test traffic it will not see the real attacker either.<br /><a name='more'></a><b>Beware of the security myth</b><br /><br />Often, no special software or expertise is needed to identify basic, potentially malicious behavior. Usually, companies already have all the tools and technology they need in-house.
The problem is making those tools work in the company's reality. For example, if a single client requests 20 non-existent pages per second for several minutes, it is most likely brute-forcing the application (forced browsing for hidden paths, backup files or admin pages). You can identify this by counting 404 and 403 responses per source IP address over a sliding time window. Two caveats apply: a per-IP count misses an attacker who spreads requests across many addresses, and legitimate crawlers and broken links also generate 404s, so set the threshold from your own baseline traffic and treat a hit as a trigger for investigation rather than an automatic block.<br /><br /><div style="font-family: times;"><i><br class="Apple-interchange-newline" />(from&nbsp;<a href="https://leanpub.com/secdevops">SecDevOps Risk Workflow</a>&nbsp;book, please provide feedback as an&nbsp;<a href="https://github.com/DinisCruz/Book_SecDevOps_Risk_Workflow/issues">GitHub issue</a>)</i></div>Dinis
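Here is that 404/403-per-IP rule worked through in code, as an added example that is not part of the book or of the original post. It parses standard Apache/nginx combined-format access log lines and flags any source IP that produces `threshold` 403/404 responses inside a sliding `window_seconds` window. The log lines it runs on are constructed for the example (198.51.100.7 plays the scanner), and the default threshold and window are assumptions to be tuned against your own baseline traffic.

```python
"""Flag forced-browsing / brute-force candidates from web server access logs.

Added example, not code from the SecDevOps Risk Workflow book: it implements
the rule from the text (many 404/403 responses from one IP in a short time)
over Apache/nginx "combined" log lines. The sample log below is constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# One "combined" log line: ip ident user [timestamp] "request" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return (ip, timestamp, status, request) or None if the line does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, int(m.group("status")), m.group("req")


def find_bruteforcers(lines, threshold=20, window_seconds=60, statuses=(403, 404)):
    """Return {ip: timestamp at which that ip first crossed the threshold}.

    Keeps, per source IP, a sliding window of the timestamps of its recent
    403/404 responses; an IP is flagged the first time `threshold` such
    responses fall inside `window_seconds`. Lines are assumed to be in
    chronological order, as they are in a live access log.
    """
    recent = defaultdict(deque)  # ip -> timestamps of its recent error responses
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines instead of crashing the pipeline
        ip, ts, status, _req = parsed
        if status not in statuses:
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()  # drop responses that fell out of the window
        if len(window) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def constructed_sample_log():
    """Constructed sample (not real traffic): one ordinary user who hits a
    single broken link, a malformed line, and one scanner (198.51.100.7)
    probing 25 paths in about twelve seconds."""
    lines = [
        '203.0.113.5 - - [05/Nov/2016:10:00:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
        '203.0.113.5 - - [05/Nov/2016:10:00:04 +0000] "GET /old-page HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
        'not a log line at all',
    ]
    for i in range(25):
        lines.append(
            f'198.51.100.7 - - [05/Nov/2016:10:00:{10 + i // 2:02d} +0000] '
            f'"GET /admin{i}.php HTTP/1.1" 404 210 "-" "dirbuster"'
        )
    return lines


if __name__ == "__main__":
    for ip, when in find_bruteforcers(constructed_sample_log()).items():
        print(f"{ip}: crossed the threshold at {when.isoformat()}")
```

Run against the constructed sample, only the scanner is flagged; the ordinary user's single 404 stays below the threshold, and shrinking the window to a few seconds clears the scanner too, which is the knob to turn when tuning against real traffic. Feed it `sys.stdin` or a `tail -f` of the access log to use it on a live server, and key the window on the authenticated user or the `X-Forwarded-For` value (only if your edge proxy sets it) when many clients share one address.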
Cruzhttps://plus.google.com/101331715302361457274noreply@blogger.com0tag:blogger.com,1999:blog-7061568054540301299.post-73962758902729201262016-11-05T10:00:00.000+00:002016-11-05T10:00:23.598+00:00Capture knowledge when developers look at codeIt is vital that when developers are looking at code, they can create tickets for 'things noticed' without difficulty. For example, 'things noticed' include methods that need refactoring, complex logic, weird code, hard-to-visualize architecture, etc. If this knowledge is not captured, it will be lost.<br /><br />The developer who notices an issue, and opens a ticket for it, will be unable to do anything about it at that moment, since they will already be focused on resolving another bug.<br /><br /><a name='more'></a>Instead, more junior developers, graduate employees or interns could take responsibility for opening and managing these tickets.<br /><br />They could even attempt a first fix themselves, since the developer who noticed the issue remains responsible for reviewing and merging the resulting PRs.<br /><br /><div style="font-family: times;"><i><br class="Apple-interchange-newline" />(from&nbsp;<a href="https://leanpub.com/secdevops">SecDevOps Risk Workflow</a>&nbsp;book, please provide feedback as an&nbsp;<a href="https://github.com/DinisCruz/Book_SecDevOps_Risk_Workflow/issues">GitHub issue</a>)</i></div><br />Dinis Cruzhttps://plus.google.com/101331715302361457274noreply@blogger.com0tag:blogger.com,1999:blog-7061568054540301299.post-5496343134871286472016-11-04T17:30:00.000+00:002016-11-04T17:30:03.791+00:00Describe Risks as
Features rather than as WishesWhen opening a risk JIRA ticket, it is essential to describe the exact behavior of that issue as a feature, rather than describing what you would like to see happening (i.e. your wish list).<br /><br />For example:<br /><ul><li>instead of saying 'application should encode XYZ value', you should say 'XYZ value is not encoded'</li><li>instead of saying 'application shouldn't be vulnerable to XSS or SQL injection', you should say 'application is vulnerable to SQL injection'. In this case, SQL Injection is a feature of the application, and while the application allows SQL Injection, the application is working as designed (whether that is intended or not is a different story).</li></ul><br />When we describe vulnerabilities, we describe features, because a vulnerability is a feature of an application.<br /><br /><a name='more'></a>If an application has an insecure direct object reference vulnerability (IDOR, in the OWASP Top 10), then that is a feature that allows User A to access User B's data (by design, using the capabilities of the application).<br /><br />For each of these cases, you should open risk tickets, since those risks represent existing features. Sometimes you open multiple risks for the same issue, allowing technical and business audiences to understand what is going on (SQL Injection doesn't mean a lot to management, but <i>'Access and modify all customer data'</i> does).<br /><br />I remember a funny story where we found SQL injection in a pentest, and when we presented the findings, the business responded: <i>'... well, that is not a critical issue, we have good backups, so that SQL injection is not dangerous'</i>. When we asked <i>'what if we can drop all tables?'</i>, they said <i>'We can recover from that very fast, no problem.'</i><br /><br />We argued <i>'well ... we can modify data'</i> and they came back with <i>'We have read-only access and we can protect it from there.'</i>
But finally, when we stated <i>'we can log in as any user with a typical SQL Injection payload of: or 1=1'</i>, that connected the dots, and the business said <i>'we will fix that ASAP'</i>.<br /><br />The reason that example clicked was that we showed them how to bypass the business logic of the application using the SQL Injection 'feature'. They could tolerate, to a degree, data corruption or content changes. However, they reacted when they saw that the SQL Injection could bypass the application's authentication and business logic and break their non-repudiation capabilities (i.e. they would lose the ability to prove what a given user actually did on the site, because anybody could have been acting as that user).<br /><div style="font-family: times;"><i><br class="Apple-interchange-newline" /><br class="Apple-interchange-newline" />(from&nbsp;<a href="https://leanpub.com/secdevops">SecDevOps Risk Workflow</a>&nbsp;book, please provide feedback as an&nbsp;<a href="https://github.com/DinisCruz/Book_SecDevOps_Risk_Workflow/issues">GitHub issue</a>)</i></div>Dinis Cruzhttps://plus.google.com/101331715302361457274noreply@blogger.com0tag:blogger.com,1999:blog-7061568054540301299.post-89461633309458512342016-11-04T08:30:00.000+00:002016-11-04T08:30:11.571+00:00The smaller the ticket scope the betterFor bugs and tasks, the smaller the scope the better.<br /><br />Having many small bugs and issues can be an advantage for the following reasons:<br /><br /><ul><li>easier to code</li><li>easier to delegate (between developers)</li><li>easier to outsource</li><li>easier to test</li><li>easier to roll back</li><li>easier to merge into upstream or legacy branches</li><li>easier to deploy</li></ul><br />It is better to put them in one or more special JIRA projects focused on quality or non-functional requirements.<br /><br /><a name='more'></a>Of course, this needs to be rational and kept in context. You should only create a couple of tickets for each instance of a pattern, particularly when they are not being fixed.
In such cases, create a 'holding ticket' that stores references to all the individual issues; this works well for systemic vulnerabilities.<br /><br />You should also aggregate issues in Stories.<br /><div style="font-family: times;"><i><br class="Apple-interchange-newline" /><br class="Apple-interchange-newline" />(from&nbsp;<a href="https://leanpub.com/secdevops">SecDevOps Risk Workflow</a>&nbsp;book, please provide feedback as an&nbsp;<a href="https://github.com/DinisCruz/Book_SecDevOps_Risk_Workflow/issues">GitHub issue</a>)</i></div>Dinis Cruzhttps://plus.google.com/101331715302361457274noreply@blogger.com0tag:blogger.com,1999:blog-7061568054540301299.post-46327951300416194402016-11-03T17:30:00.000+00:002016-11-03T17:30:21.931+00:00Collaboration TechnologiesThe following technologies are crucial for Security Champions and JIRA workflows to work efficiently:<br /><a name='more'></a><ul><li><b>Email</b> - good when used in moderation, especially when emails contain links to online resources</li><li><b>Mailing lists</b> - still the best collaboration tool, as they scale well, are easy to filter, reach a wide audience, are a great way to motivate new Security Champions when they see their name on the list, and allow interested parties (and older, non-active Security Champions) to stay connected to what is going on</li><li><b>JIRA issues</b> - discussion threads provide a lot of information and details about specific topics</li><li><b>Wiki</b> - key to capture knowledge in a more structured and long-term environment. Remember that wikis require maintenance and should be curated so that they remain relevant and don't fall victim to the 'tragedy of the commons' problem.
Wikis should use JIRA issues as evidence of what is said.</li><li><b>Confluence</b> - when integrated with JIRA, it creates a powerful way to create dashboards that present the data stored in the JIRA tickets</li><li><b>Video conferences</b> - tools like Join.me, BlueJeans, Google Hangouts, and Skype are great ways to make remote working and participation possible</li><li><b>Slack</b> - real-time collaboration tools are key to allow questions to be easily asked, and to allow for asynchronous collaboration, and catching up on specific topics</li><li><b>Slack integrations</b> - very powerful workflows can occur when SDL tools (and CI pipelines) feed data into specific channels. This is not only a good way to get a sense of what is going on, but also a good way to alert for possible issues or attacks. It gets even better when these integrations are interactive:<ul><li><b>Hubot(s)</b> - a great example of this (a bot that listens to messages posted in a channel and responds to them)</li></ul></li><li><b>Log visualization</b> - tools like Splunk, ELK or Graphite, when supported by strong dashboards and visualizations, are one of the best ways to present information and collaborate</li><li><b>Diagram technologies</b>&nbsp;- Visio has been the gold standard for a long time (draw.io is a recent new player), but the problem is their lack of a human-readable data storage format. To promote collaboration and allow for 'revision of what changed since the last analysis' (i.e. diffs), diagramming technologies that generate the diagram from a textual description, for example PlantUML or DOT (Graphviz), are much more powerful and useful: their source is easier to read and can be stored in git (i.e. version controlled) alongside the code it describes</li></ul><div style="font-family: times;"><i><br class="Apple-interchange-newline" />(from&nbsp;<a href="https://leanpub.com/secdevops">SecDevOps Risk Workflow</a>&nbsp;book, please provide feedback as an&nbsp;<a href="https://github.com/DinisCruz/Book_SecDevOps_Risk_Workflow/issues">GitHub issue</a>)</i></div>Dinis Cruzhttps://plus.google.com/101331715302361457274noreply@blogger.com0tag:blogger.com,1999:blog-7061568054540301299.post-15554663248983338062016-11-03T08:30:00.000+00:002016-11-03T08:30:00.158+00:00Conference for Security ChampionsEvery 6 to 12 months, it is a good idea to hold a conference exclusively dedicated to security champions, particularly for companies that have multiple locations, where their security champions don't meet regularly in person.<br /><br />At the conference, external speakers should present on specific topics.<br /><br />If there are already several external AppSec consulting companies under contract to the hosting company, the consultants involved in existing projects are perfect candidates to present at the conference.
They can use their own examples and stories, and it is easier to present internal materials if all participants are signed up to the same NDA (Non-Disclosure Agreement).<br /><br /><a name='more'></a>Never underestimate the power of team collaboration, or of team members getting to know each other. Social events are important, and the model of the OWASP Summit is also a good example of a conference for security champions, as is the Microsoft BlueHat security conference.<br /><br /><i>(from&nbsp;<a href="https://leanpub.com/secdevops">SecDevOps Risk Workflow</a>&nbsp;book, please provide feedback as an&nbsp;<a href="https://github.com/DinisCruz/Book_SecDevOps_Risk_Workflow/issues">GitHub issue</a>)</i><br />Dinis Cruzhttps://plus.google.com/101331715302361457274noreply@blogger.com0tag:blogger.com,1999:blog-7061568054540301299.post-63456951178996343752016-11-02T18:30:00.000+00:002016-11-02T18:30:01.062+00:00Create a Technology Advisory BoardOne of the biggest challenges in Agile and DevOps environments is the adoption rate of new technologies.<br /><br />To be as agile as possible, there is a tendency to adopt new technology whenever it appears to have an advantage. Common examples are cloud technology, analytic tools, continuous integration tools, container technology, web platforms and frameworks, and client-side frameworks.<br /><br /><a name='more'></a>To prevent the adoption of immature, insecure, or privacy-violating components, it is important to review requests and proposed solutions before they are adopted. The technology advisory board should take up this role. It should consist of people with security, privacy, and (some) legal knowledge. It is important not to make this a new 'change advisory board' with monthly review sessions, performing a complete business impact analysis.
Rather, it should be in the form of a guild that can identify the maturity of the technology and the possible impact on the ecosystem when things go wrong. It can also act as a guard against implementing multiple tools with the same purpose.<br /><br />In this way, the total ecosystem can be as lean and secure as possible.<br /><br /><i>(from&nbsp;<a href="https://leanpub.com/secdevops">SecDevOps Risk Workflow</a>&nbsp;book, please provide feedback as an&nbsp;<a href="https://github.com/DinisCruz/Book_SecDevOps_Risk_Workflow/issues">GitHub issue</a>)</i><br />Dinis Cruzhttps://plus.google.com/101331715302361457274noreply@blogger.com0tag:blogger.com,1999:blog-7061568054540301299.post-29527974263215881162016-11-02T08:30:00.000+00:002016-11-02T08:30:06.661+00:00Inaction is a riskLacking the time to perform 'root cause analysis', or not understanding what caused a problem, are valid risks in themselves.<br /><br />It is key that these risks are explicitly accepted.<br /><br />This is what makes them 'real', and what will motivate the business owner to allocate resources in the future, especially when a similar problem occurs.<br /><br /><i>(from&nbsp;<a href="https://leanpub.com/secdevops">SecDevOps Risk Workflow</a>&nbsp;book, please provide feedback as an&nbsp;<a href="https://github.com/DinisCruz/Book_SecDevOps_Risk_Workflow/issues">GitHub issue</a>)</i><br />Dinis Cruzhttps://plus.google.com/101331715302361457274noreply@blogger.com0tag:blogger.com,1999:blog-7061568054540301299.post-17934765558037908912016-11-01T17:30:00.000+00:002016-11-01T17:30:16.364+00:00Risk accepting threat modelIf you have trouble getting developer teams to create threat models, or to spend time on those threat models, then the solution is to make them accept the risk incurred from not having a threat model for the application.<br /><br />The idea is not to be confrontational.
Instead, stating that a feature has no threat model is a very pragmatic, focused, and objective statement.<br /><br />The idea is that the developer team must accept that they don't have a threat model. The logic is to create a ticket that says there is no threat model, and the ticket will be closed when the threat model is created. Alternatively, if the developers and their management team don't want to spend the time creating a threat model, they must accept the risk of not having one.<br /><br />This can be difficult to accept, but it's an important part of the exercise.<br /><br /><br class="Apple-interchange-newline" /><br /><i>(from&nbsp;<a href="https://leanpub.com/secdevops">SecDevOps Risk Workflow</a>&nbsp;book, please provide feedback as an&nbsp;<a href="https://github.com/DinisCruz/Book_SecDevOps_Risk_Workflow/issues">GitHub issue</a>)</i><br /><i><br /></i>Dinis Cruzhttps://plus.google.com/101331715302361457274noreply@blogger.com0tag:blogger.com,1999:blog-7061568054540301299.post-53885738045627027242016-11-01T09:00:00.000+00:002016-11-01T09:00:11.476+00:00How to review Applications as a Security ChampionWhen you review applications as a security champion, you need to start by looking at the application from the point of view of an attacker. In the beginning, this is the best way to learn.<br /><br />You should start thinking about data inputs, about everything that goes into the database, the application, all the entry points of the application. In short, think about everything an attacker could control, which could be anything from headers, to cookies, to sockets, to anything that enters the application.<br /><br />Authorization is also a great way to look at the application. 
Just looking at how you handle data, and how you authorise actions, is a great way to understand how the application works.<br /><br /><i>(from&nbsp;<a href="https://leanpub.com/secdevops">SecDevOps Risk Workflow</a>&nbsp;book, please provide feedback as an&nbsp;<a href="https://github.com/DinisCruz/Book_SecDevOps_Risk_Workflow/issues">GitHub issue</a>)</i><br />Dinis Cruzhttps://plus.google.com/101331715302361457274noreply@blogger.com0tag:blogger.com,1999:blog-7061568054540301299.post-66281409786240072292016-10-31T18:30:00.000+00:002016-10-31T18:30:09.143+00:00If you don't have a Security Champion, get a mug<div class="separator" style="clear: both; text-align: center;"><a href="https://github.com/DinisCruz/Book_SecDevOps_Risk_Workflow/raw/bb919b1d48243743bb94e2a6708dba8ad4f3e249/content/2.Risk-workflow/Security-champions/If-you-dont-have-an-sc-get-a-mug/images/Security-champion-mug.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="240" src="https://github.com/DinisCruz/Book_SecDevOps_Risk_Workflow/raw/bb919b1d48243743bb94e2a6708dba8ad4f3e249/content/2.Risk-workflow/Security-champions/If-you-dont-have-an-sc-get-a-mug/images/Security-champion-mug.jpg" width="320" /></a></div>If your developer team doesn't have an assigned security champion, get one of these mugs.<br /><br />That 'Security Expert' mug represents the fact that, without a security champion, when a developer has an application security question, he might as well ask the dude on that mug for help.<br /><br />I also like the fact that the mug reinforces the idea that for most developer teams, just having somebody assigned to application security is already a massive step forward!<br /><br />Basically, we have such a skill shortage in our industry for application security developers that 'if you have a heartbeat, you qualify'.<br /><a name='more'></a><b>How to create the SC Mug</b><br /><ul><li>Get a mug with lots of white space on the front and back</li><li>Write 'Security Champion' on the front in large letters (but not so big that the text can't be read from a distance)</li><li>Alternatively, on the back write: 'It's me, or Google, or Stack Overflow'</li><li>Or, if you have a small company stuffed animal or object, put it inside the mug</li><li>Put the mug in a central location, visible to the whole team. It is important that the mug is in a neutral place, and not 'assigned' to anybody.</li></ul>In some teams, I've seen the ritual that when a Security Champion is appointed, they get the mug to put on their desk.<br /><br /><i>(from&nbsp;<a href="https://leanpub.com/secdevops">SecDevOps Risk Workflow</a>&nbsp;book, please provide feedback as an&nbsp;<a href="https://github.com/DinisCruz/Book_SecDevOps_Risk_Workflow/issues">GitHub issue</a>)</i><br />Dinis Cruzhttps://plus.google.com/101331715302361457274noreply@blogger.com0tag:blogger.com,1999:blog-7061568054540301299.post-62366457302117712232016-10-31T08:30:00.000+00:002016-10-31T08:30:13.197+00:00What it takes to be a Security ChampionTo become a security champion, it is essential that you want to be one.<br /><br />You need a mandate from the business that will give you at least half a day, if not one full day per week, to learn the role. The business should also provide the means to educate and train you and others who wish to become security champions. Increasing and spreading knowledge will increase awareness and control.<br /><br />You need to be a programmer, and understand code, because your job is to start looking at your application and understand its security properties. You should also know 'the tools of the trade', and how to implement them, in the most efficient way.
Lastly, you must be able to identify useful metrics and instruct on how to obtain them.<br /><br /><i>(from&nbsp;<a href="https://leanpub.com/secdevops">SecDevOps Risk Workflow</a>&nbsp;book, please provide feedback as an&nbsp;<a href="https://github.com/DinisCruz/Book_SecDevOps_Risk_Workflow/issues">GitHub issue</a>)</i><br />Dinis Cruzhttps://plus.google.com/101331715302361457274noreply@blogger.com0tag:blogger.com,1999:blog-7061568054540301299.post-19638218974456920612016-10-30T21:30:00.000+00:002016-10-30T21:30:11.366+00:00If you have a heartbeat, you qualify!It is important to understand that AppSec skills are not a key requirement to become a security champion. The essential quality is to want to become one.<br /><br />I can make a good developer, who is interested and dedicated, into a good AppSec specialist in 6 months.
If the developer is already an expert in AppSec, then they should join the central AppSec team.<br /><div><br /><br /><i>(from <a href="https://leanpub.com/secdevops">SecDevOps Risk Workflow</a> book, please provide feedback as an <a href="https://github.com/DinisCruz/Book_SecDevOps_Risk_Workflow/issues">GitHub issue</a>)</i></div>Dinis Cruzhttps://plus.google.com/101331715302361457274noreply@blogger.com0